RadAsyncUpload and Custom-body-field

Gururaj

I'm seeing that while uploading the file, RadAsyncUpload is also sending a set of additional information as part of the payload (form-data fields) like "rauPostData", "fileName", "contentType", and other data pieces (see attachment).

I'm thinking whether it is possible to add additional custom fields to the payload, mainly the CSRF token, which will help me evaluate the authenticity of the file upload before it gets processed on the server.

I'm doing all CSRF validation through an HttpModule, and hence I cannot use a Custom RadAsyncUpload Handler, which for me is not a viable solution as the module will not let the request reach this point.

Is there any degree of customization which can help me through this? Any help will be truly appreciated.

Gururaj

I'm afraid that's not a viable option for me as it leads to a security concern where the user (in the worst-case scenario, the attacker) can upload a file without going through CSRF verification (though it is going to copy the file in a temporary file unless the submit button is clicked).

Gururaj

The architecture of the product involves doing CSRF verification before any request gets processed. And in the case of a Custom Handler, it is something which has to be done only after the file has been uploaded, and that also means a bespoke implementation due to a limitation in the software.

Thanks for your help.

Plamen

The custom handler solution gives free customization of the file uploading, where you are able to override the Process method and perform your logic before the file is processed. It provides the possibility to use the layout of RadAsyncUpload and use custom logic for the upload of the files, as you would do with any other upload component.

Hope this information will be helpful.

Regards,
Plamen
Telerik by Progress
